Log Injection

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, log files may be reviewed manually on an as-needed basis or processed by a tool that automatically scans them for important events or trend information.

Writing unvalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs. This is called log injection. Line-oriented logs are the classic case: a CR or LF embedded in a user-controlled field ends the current record early, and whatever follows is stored as a new, legitimate-looking entry.
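To make the mechanism and its fixes concrete, here is an added example (not code from the original page): a vulnerable log formatter beside two hardened variants. `UNTRUSTED_USERNAME` is a constructed sample input; all function names are hypothetical. The first fix escapes control characters so one log call always yields one line; the second switches to structured JSON logging, where `json.dumps` escapes newlines for free and the consumer parses records instead of splitting on `\n`.

```python
import json
import re

# Constructed sample input (hypothetical, not from any real application):
# a username that embeds a newline followed by text shaped like a log record.
UNTRUSTED_USERNAME = "alice\n2024-05-01 12:00:00 INFO login ok user=admin"

# CR, LF, the other C0 control characters and DEL: anything that can end a
# line early or confuse a terminal-based log viewer.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Escape control characters so a single log call produces a single line.
    "\n" becomes the four literal characters \\x0a, which is also easy to grep."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_entry_unsafe(username: str) -> str:
    """Vulnerable pattern: raw user input interpolated into a line-oriented log."""
    return f"2024-05-01 12:00:01 WARN login failed user={username}\n"


def format_entry_safe(username: str) -> str:
    """Hardened pattern: same entry, untrusted field neutralized first."""
    return f"2024-05-01 12:00:01 WARN login failed user={neutralize(username)}\n"


def format_entry_json(username: str) -> str:
    """Alternative fix: structured logging. json.dumps escapes \\n, \\r and other
    control characters, so one record can never span two lines."""
    record = {
        "ts": "2024-05-01T12:00:01Z",
        "level": "WARN",
        "event": "login_failed",
        "user": username,
    }
    return json.dumps(record) + "\n"


def parse_json_entry(line: str) -> dict:
    """What a structured-log consumer does: parse, never split on newlines."""
    return json.loads(line)


def record_count(log_text: str) -> int:
    """Number of records a line-oriented consumer (tail, grep, a SIEM agent
    splitting on newlines) would see in this text."""
    return len(log_text.splitlines())


def looks_injected(line: str) -> bool:
    """Detection aid for neutralized logs: an escaped CR/LF inside a field means
    someone submitted a line break in user input, which is worth a closer look."""
    return "\\x0a" in line or "\\x0d" in line


if __name__ == "__main__":
    print("unsafe records :", record_count(format_entry_unsafe(UNTRUSTED_USERNAME)))
    print("safe records   :", record_count(format_entry_safe(UNTRUSTED_USERNAME)))
    print("json records   :", record_count(format_entry_json(UNTRUSTED_USERNAME)))
    print("flagged        :", looks_injected(format_entry_safe(UNTRUSTED_USERNAME)))
```

The unsafe formatter turns one failed-login call into two records, the second of which reads as a successful admin login; both hardened variants keep it at one. Escaping rather than stripping control characters is deliberate: the evidence of the attempt survives in the log, and `looks_injected` (or an equivalent search in your log platform) can alert on it.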

➡ Vulnerability description for reporting available in VulnDB (GitHub)

💡 Analytics uses client-side code to gather information, whereas most log file analysis tools only process server-side information. Client-side analytics (e.g. Google Analytics) is normal and is not a log injection finding.

Log injection would belong in WSTG-INPV (Input Validation Testing), but it is not currently part of the OWASP Web Security Testing Guide.